Tips to improve security?


Post by Roland Verland » Fri, 30 Aug 2002 09:06:28



Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
anyone know any good tips to improve security?

Post by Bit Twist » Fri, 30 Aug 2002 09:20:30



> Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> anyone know any good tips to improve security?

Upgrade so you can get the packet filter firewall.

First, unplug your system from the internet. Your machine is a menace to
society and to you until it's cleaned up.

Here is why you need a FORMAT and clean install when your box IS cracked.
   http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
4th paragraph.

Think about that paragraph.
You cannot use ANY of your PC's utilities to see if your box is cracked
and find what additional files are installed.

http://www.chkrootkit.org   has a program for checking for rootkit installs
on the cracked box. That will tell you about known root kits if you have one.
The cracker may not have installed a rootkit.

What you can do is have a dual boot system. You install a second copy of
your OS and label it Auditor. You never, EVER mount it from the internet OS.

Some have suggested installing on a separate disk which is left unplugged until
you want to use it.

Anytime you THINK you've been cracked, you can boot into Auditor, mount the
internet os partition and start checking the internet OS partitions for new
files and whatnot.

Any time you KNOW your box is cracked, you should:
o       Pull the box off the network. You do not want the police taking
        you and your equipment to jail because a cracker used it
        to crack a bank or military site. If the cracker removes their
        backtracks to their box, you get to do the jail time.

o       Put the hard drive(s) into a standalone machine,
        mount the disk(s) readonly,
        save any data, user files, ...,

o       Save a full copy of the disk(s) for your forensic attempt,
        save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

o       Re-FORMAT disk drives and do a fresh install from known clean
        source to remove any possible back doors and/or password sniffers
        the cracker installed.

o       Restore your saved files, verify that the restored files
        do not have the suid bit set  "find / -perm +6000 -ls".

o       Have everyone on the box's network change passwords and
        tell them that the cracker may have been running a
        password sniffer so they will not use the passwords ever again.
        Any other boxes logged into from the cracked box should
        have their passwords changed.

Install a modern firewall. Example: iptables is better than ipchains.
If you have a spare linux computer, you can use it to port scan
your box with nmap from http://www.insecure.org/nmap/

Get all the vendor updates to your distro.

You might want to read Armoring Linux
        http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
        http://www.enteract.com/~lspitz/linux.html
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Security-Quickstart-Redha...
http://www.ibiblio.org/pub/Linux/docs/linux-doc-project/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.txt

        http://www.linuxsecurity.com/docs/colsfaq.html
        http://www.securityportal.com/lskb/articles/
        http://www.securityportal.com/lasg/
keep an eye on
        http://www.cert.org/advisories/

For cheap install CDs
http://cart.cheapbytes.com/cgi-bin/cart
top left under Products.
Pink Tie is Red Hat; RH wouldn't let them use the Red Hat name
on the inexpensive CDs.

For people across the pond,
        http://www.linuxemporium.co.uk
        http://www.linux123.co.uk/
and for down under folks
        http://www.cetustech.com.au/

Never log in as root unless you have to.
Always log in from the console; no su, telnet, ssh, ...
That way a keystroke logger in your user account cannot
catch your root login password.

You can audit your system if you are using the rpm package manager with
  rpm -Va | grep '^..5' > /tmp/verify.log
It runs for a while; more than 5 minutes.

/tmp/verify.log will contain changes which you have made using
configuration tools.

Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though I'm not sure. On one of my boxes
it cored after about 2 minutes; the log looked like it ran but it never completed
the audit.

rpm -Va | grep '^..5' will give you a warm feeling about what changed.
That warm feeling might turn into the warm feeling you get when
you do not get to the bathroom in time.  :(

The cracker could install trojaned files somewhere else and modify
PATH to use them instead of the files you just checked.
You could look at the report and see
        S.5....T c /root/.bash_profile
        S.5....T c /root/.bashrc
You see that and say, "Ok, I did change those. No problem."
BZZZZzzit. WRONG answer, Cracker changed your PATH and you are
running his code.

It also does not show additional files. I have created a site file in
/etc/profile.d which puts my site/bin into PATH.

A cracker can add his own cracked.sh file to change/add to PATH and
create aliases to substitute his code for a stock command.

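Two of the checks from the post above, written out as an added example (this is not Bit Twist's code): a triage filter for `rpm -Va` output that separates changed binaries from changed config files, and a sweep of every file a login shell reads for PATH assignments and aliases, which is exactly where the `/root/.bash_profile` and `/etc/profile.d` tampering described above would show up. It assumes the cracked disk is mounted read-only at /mnt/hacked from the Auditor boot and that the Auditor's own rpm can read the suspect's database through `--root`; the suspect's RPM database itself may have been altered, so a clean result is weak evidence while a dirty one is strong. The sample `rpm -Va` lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a cracked
# root filesystem mounted READ-ONLY from a clean "Auditor" boot, assumed
# here to be at /mnt/hacked. Nothing executes binaries from the suspect
# tree; the functions only read files and parse text fed to them.

# Sort "rpm -Va" output into what matters. Column 3 of the flag field is
# the MD5 check; a changed checksum on a non-config file (no 'c' attribute)
# means the binary itself differs from the package, which no configuration
# tool does. Size/mtime-only differences are dropped as noise.
# Usage: rpm --root /mnt/hacked -Va | triage_rpm_verify
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING        " $NF; next }
        {
            flags = $1
            # attribute column (c=config, d=doc, ...) is one letter when present
            if (length($2) == 1) { attr = $2; path = $3 } else { attr = "-"; path = $2 }
            if (substr(flags, 3, 1) != "5") next
            if (attr == "c") print "CONFIG-CHANGED " path
            else             print "BINARY-CHANGED " path
        }'
}

# List every place a login shell picks up PATH or aliases under the suspect
# root. Edits here let a cracker run trojaned binaries from a side directory
# while "rpm -Va" on /bin and /usr/bin stays clean.
# Usage: find_path_tampering /mnt/hacked
find_path_tampering() {
    root=${1:?usage: find_path_tampering /mnt/suspect}
    for f in "$root"/etc/profile "$root"/etc/bashrc "$root"/etc/profile.d/* \
             "$root"/root/.bash_profile "$root"/root/.bashrc \
             "$root"/home/*/.bash_profile "$root"/home/*/.bashrc; do
        [ -f "$f" ] || continue
        # PATH= (but not MANPATH=/LD_LIBRARY_PATH=) and alias definitions
        grep -n -E '(^|[^A-Za-z_])PATH=|^[[:space:]]*alias[[:space:]]' "$f" \
            | sed "s|^|$f:|"
    done
    return 0
}
```

Read every line `find_path_tampering` prints, not just the ones in files `rpm -Va` flagged: a freshly dropped `/etc/profile.d/cracked.sh` belongs to no package, so rpm never reports it at all.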

Post by Nico Kadel-Garci » Fri, 30 Aug 2002 11:49:40



> Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> anyone know any good tips to improve security?

Besides updating your OS to be one written this century, and keeping all the
updates up to date?

Tell us what you're running on the machine and how they got in, and we'll
give you more advice.


Post by Roland Verlande » Fri, 30 Aug 2002 12:19:37





> > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > anyone know any good tips to improve security?

> Besides updating your OS to be one written this century, and keeping all
the
> updates up to date?

> Tell us what you're running on the machine and how they got in, and we'll
> give you more advice.

RH6.2 was made in early 2000.
For updates, updates hadn't been applied for a while because of some probs
with the connection speed on the box that was hacked.

Post by Roland Verlande » Fri, 30 Aug 2002 12:25:57




> > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > anyone know any good tips to improve security?

> Upgrade so you can get the packet filter firewall.

> First, unplug your system from the internet. Your machine is a menace to
> society and to you until it's cleaned up.

> Here is why you need a FORMAT and clean install when your box IS cracked.
>    http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
> 4th paragraph.

> Think about that paragraph.
> You cannot use ANY of your PC's utilities to see if your box is cracked
> and find what additional files are installed.

> http://www.chkrootkit.org   has a program for checking for rootkit installs
> on the cracked box. That will tell you about known root kits if you have one.
> The cracker may not have installed a rootkit.

> What you can do is have a dual boot system. You install a second copy of
> your OS and label it Auditor. You never, EVER mount it from the internet OS.

> Some have suggested installing on a separate disk which is left unplugged until
> you want to use it.

> Anytime you THINK you've been cracked, you can boot into Auditor, mount the
> internet os partition and start checking the internet OS partitions for new
> files and whatnot.

> Any time you KNOW your box is cracked, you should:
> o       Pull the box off the network. You do not want the police taking
>         you and your equipment to jail because a cracker used it
>         to crack a bank or military site. If the cracker removes their
>         backtracks to their box, you get to do the jail time.

> o       Put the hard drive(s) into a standalone machine,
> mount the disk(s) readonly,
> save any data, user files, ...,

> o       Save a full copy of the disk(s) for your forensic attempt,
> save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

> o       Re-FORMAT disk drives and do a fresh install from known clean
>         source to remove any possible back doors and/or password sniffers
>         the cracker installed.

> o       Restore your saved files, verify that the restored files
> do not have the suid bit set  "find / -perm +6000 -ls".

> o       Have everyone on the box's network change passwords and
> tell them that the cracker may have been running a
> password sniffer so they will not use the passwords ever again.
> Any other boxes logged into from the cracked box should
> have their passwords changed.

> Install a modern firewall. Example: iptables is better than ipchains.
> If you have a spare linux computer, you can use it to port scan
> your box with nmap from http://www.insecure.org/nmap/

> Get all the vendor updates to your distro.

> You might want to read Armoring Linux
>         http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
>         http://www.enteract.com/~lspitz/linux.html
> http://www.ibiblio.org/pub/Linux/docs/HOWTO/Security-Quickstart-Redha...
> http://www.ibiblio.org/pub/Linux/docs/linux-doc-project/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.txt

> http://www.linuxsecurity.com/docs/colsfaq.html
>         http://www.securityportal.com/lskb/articles/
>         http://www.securityportal.com/lasg/
> keep an eye on
>         http://www.cert.org/advisories/

> For cheap install CDs
> http://cart.cheapbytes.com/cgi-bin/cart
> top left under Products.
> Pink Tie is Red Hat; RH wouldn't let them use the Red Hat name
> on the inexpensive CDs.

> For people across the pond,
>         http://www.linuxemporium.co.uk
>         http://www.linux123.co.uk/
> and for down under folks
>         http://www.cetustech.com.au/

> Never log in as root unless you have to.
> Always log in from the console; no su, telnet, ssh, ...
> That way a keystroke logger in your user account cannot
> catch your root login password.

> You can audit your system if you are using the rpm package manager with
>   rpm -Va | grep '^..5' > /tmp/verify.log
> It runs for a while; more than 5 minutes.

> /tmp/verify.log will contain changes which you have made using
> configuration tools.

> Hope crackers do not put in a rootkit which makes the rpm check obsolete.
> I think this has happened, though I'm not sure. On one of my boxes
> it cored after about 2 minutes; the log looked like it ran but it never completed
> the audit.

> rpm -Va | grep '^..5' will give you a warm feeling about what changed.
> That warm feeling might turn into the warm feeling you get when
> you do not get to the bathroom in time.  :(

> The cracker could install trojaned files somewhere else and modify
> PATH to use them instead of the files you just checked.
> You could look at the report and see
> S.5....T c /root/.bash_profile
> S.5....T c /root/.bashrc
> You see that and say, "Ok, I did change those. No problem."
> BZZZZzzit. WRONG answer, Cracker changed your PATH and you are
> running his code.

> It also does not show additional files. I have created a site file in
> /etc/profile.d which puts my site/bin into PATH.

> A cracker can add his own cracked.sh file to change/add to PATH and
> create aliases to substitute his code for a stock command.

1. Packet filter? Can't I just change some stuff on RH6.2 to get that? /me
dun like 7.3

2. Just read that

3. Okay

5. Okay (hard drives (there are 2) will be put into another machine that
hasn't been hacked and mounted as like /mnt/hacked to examine logs)

6. I already know that I have to re-format the drives and load a clean OS

7. Okay, will do nmap scan



Post by Dragan Cvetkovic » Fri, 30 Aug 2002 12:47:57







> > > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > > anyone know any good tips to improve security?

> > Besides updating your OS to be one written this century, and keeping all
> the
> > updates up to date?

> > Tell us what you're running on the machine and how they got in, and we'll
> > give you more advice.

> RH6.2 was made in early 2000.

Which still makes it last century product (remember that this one started
on 1/1/2001) :-)

Bye, Dragan

--
Dragan Cvetkovic,

To be or not to be is true. G. Boole      No it isn't.  L. E. J. Brouwer


Post by Roland Verlande » Fri, 30 Aug 2002 14:15:11








> > > > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > > > anyone know any good tips to improve security?

> > > Besides updating your OS to be one written this century, and keeping
all
> > the
> > > updates up to date?

> > > Tell us what you're running on the machine and how they got in, and
we'll
> > > give you more advice.

> > RH6.2 was made in early 2000.

> Which still makes it last century product (remember that this one started
> on 1/1/2001) :-)

lol didn't know that ;)
I was planning on updating that rh6.2 install to kernel 2.4, etc :(

Post by Khayma » Fri, 30 Aug 2002 17:51:58




> Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> anyone know any good tips to improve security?

Well, how was it hacked the last time?

Maybe you were running too many unnecessary services?
Maybe you were not updating ssh when you should have, etc, etc.

Look around www.linuxsecurity.org (my morning, lunch and evening must-read
place) and you will find guides.

Khay.


Post by Nico Kadel-Garci » Fri, 30 Aug 2002 21:12:01







> > > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > > anyone know any good tips to improve security?

> > Besides updating your OS to be one written this century, and keeping all
> the
> > updates up to date?

> > Tell us what you're running on the machine and how they got in, and
we'll
> > give you more advice.

> RH6.2 was made in early 2000.

Right. 2000 was the last year of the 20th century, not the first year of the
21st. (Yes, I'm a pedant.)

> For updates, updates hadn't been applied for a while because of some probs
> with the connection speed on the box that was hacked.

Then definitely don't expose to the net any box that you can't keep the
updates applied to. Can you drop the updates onto a CD or Zip disk or
something at work to bring them home?

Post by Bill Hudso » Sun, 01 Sep 2002 00:14:10






>> > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
>> > anyone know any good tips to improve security?

>> Upgrade so you can get the packet filter firewall.

[snipped]

> 1. Packet filter? Can't I just change some stuff on RH6.2 to get that?
> /me dun like 7.3

The short answer is "no". It's a 2.2 vs 2.4 kernel version difference.

Post by Bill Unr » Sun, 01 Sep 2002 02:32:30






> > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > anyone know any good tips to improve security?

Firstly, have you installed all of the security patches that Redhat has
put out? This is the zeroth step and without it nothing else you do will
amount to anything.
Then make sure that you only run (in /etc/inetd.conf or xinetd.d) the services
that you really need.
Then make sure that you have strong passwords for every user, (Eg make
sure that ALL users, including root, change their passwords
IMMEDIATELY).

Make sure that you have reinstalled the system, and have searched for
any suid files on the system
find / -perm +6000 -ls
and make sure each of those files should be suid or sgid. (No file in
your home directory should be. No file in /man or /tmp or /dev should
be).


Post by Whoeve » Sun, 01 Sep 2002 03:42:53








> > > Someone recently hacked a (Red Hat 6.2) Linux box of mine. So does
> > > anyone know any good tips to improve security?

> Firstly, have you installed all of the security patches that Redhat has
> put out? This is the zeroth step and without it nothing else you do will
> amount to anything.

> Make sure that you have reinstalled the system, and have searched for
> any suid files on the system
> find / -perm +6000 -ls

How about this (tcsh):
        /bin/tcsh
        # verify the package that owns each suid/sgid file;
        # a file no package provides makes rpm complain here, and deserves a look
        foreach file (`find / -perm +6000`)
            rpm -V `rpm -q --whatprovides $file`
        end

> and make sure each of those files should be suid or sgid. (No file in
> your home directory should be. No file in /man or /tmp or /dev should
> be).
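Bill Unruh's suid sweep and Whoever's per-file rpm check, combined into a baseline comparison as an added example (this is not code from either post): record the setuid/setgid list once on a known-clean install of the same packages, then diff the suspect tree against it and flag anything living in a home directory, /tmp, /var/tmp or /dev regardless of the baseline. The mount points /mnt/clean and /mnt/hacked and the file name baseline.txt are assumptions; the functions only read the suspect tree and never execute anything from it, so they are safe to run from the Auditor boot.

```shell
#!/bin/sh
# Added example, not from the posts above. Audit setuid/setgid files in a
# suspect tree (a read-only mount of the cracked disk, or a freshly
# restored system) against a baseline recorded on a clean install of the
# same packages. Assumed usage:
#   list_setuid /mnt/clean > baseline.txt      # once, on a known-clean box
#   audit_setuid /mnt/hacked baseline.txt

# Print setuid/setgid regular files as paths relative to the given root,
# one per line, sorted in the C locale so comm(1) can compare lists.
# "-perm -4000 -o -perm -2000" is the portable spelling of "-perm +6000".
list_setuid() {
    root=${1:?usage: list_setuid /mnt/root}
    ( cd "$root" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print ) \
        | sed 's|^\./|/|' | LC_ALL=C sort
}

# Report files that are setuid/setgid now but absent from the baseline,
# then every setuid/setgid file in a location where none belongs, even if
# the baseline happens to list it.
audit_setuid() {
    root=${1:?usage: audit_setuid /mnt/root baseline.txt}
    baseline=${2:?usage: audit_setuid /mnt/root baseline.txt}
    current=$(list_setuid "$root")
    [ -n "$current" ] || return 0
    # comm -13: lines only in the second input (the suspect tree)
    printf '%s\n' "$current" | LC_ALL=C comm -13 "$baseline" - \
        | sed 's/^/NEW-SETUID   /'
    printf '%s\n' "$current" | grep -E '^/(home|tmp|var/tmp|dev)/' \
        | sed 's/^/BAD-LOCATION /'
    return 0
}
```

Everything tagged NEW-SETUID is either a package update you can account for or a backdoor; run `rpm -qf` on it from the Auditor side, and treat "not owned by any package" as an answer, not an error.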
